Old Windows Malware Tried to Infect Users of 132 Android Apps

Security researchers have revealed that over 132 Android apps on Google Play were hiding malware designed specifically for the Windows operating system. The malware has no effect on Android users, and researchers also found that two of the domains used in the attack, brenz.pl and chura.pl, were taken down by Polish security nearly 4 years ago.

Windows malware found in Google Play Store

Security firm Palo Alto Networks says the malicious code arrived in the form of “tiny hidden IFrames” – HTML documents embedded inside other HTML documents – that linked out to well-known malicious domains from within the apps. The infected apps were developed by unrelated developers; however, all of them appear to originate from Indonesia. The security firm added that the developers probably had no clue that their apps contained malware.

The 132 infected apps we discovered belong to seven different, unrelated developers. There is a geographical connection among the seven different developers: all seven have connections to Indonesia. The most straightforward clue comes from the app name. A significant number of discovered samples have the word “Indonesia” in their names. Moreover, one developer’s website links to a personal blog page written in Indonesian. The clearest pointer, though, is one developer’s certificate clearly states the state to be Indonesia […]

We believe the developers are not malicious and are victims in this attack.

Incident represents a “novel way for platforms to be a ‘carrier’ for malware”

How did the attack start, then, and what was the goal of malware targeting an OS the apps do not even run on? Palo Alto Networks suggests that the developers probably reused the same infected code without knowing it was malicious.

One common way HTML files have been infected with malicious IFrames has been through file infecting viruses like Ramnit. After infecting a Windows host, these viruses search the hard drive for HTML files and append IFrames to each document. If a developer was infected with one of these viruses, their app’s HTML files could be infected. However, given that the developers may all be in Indonesia, it’s also possible they may have downloaded an infected IDE from the same hosting website or they used the same infected online app generation platform.

There are a few other pieces of supporting evidence from our investigation:

All samples share similarities in their coding structure, suggesting that they may be generated from the same platform;

Both malicious domains used resolve to sinkholes. If developers were the attackers behind all these, they could have replaced them with working domains to cause real damage;

One infected sample attempts to download a Windows executable file. This suggests that the attacker does not know about the target platform. Clearly, this is not the case for app developers.
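The pattern described above, tiny or invisible IFrames appended to an app's HTML assets and pointing at brenz.pl or chura.pl, can be checked for before an app ships. The following scanner is an added example, not code from Palo Alto Networks or this article; the sample HTML, the example.com frames and the URL paths are constructed, and only the two domain names come from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Domains named in the article as the sinkholed IFrame destinations.
KNOWN_BAD = {"brenz.pl", "chura.pl"}

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag names
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    """True for dimensions such as '0', '1' or '1px'."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)

def suspicious_iframes(html):
    """Return (host, reason) for each iframe that points to a known
    sinkholed domain or is hidden while loading an external host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in KNOWN_BAD):
            findings.append((host, "known sinkholed domain"))
        elif host and _is_hidden(a):
            findings.append((host, "hidden iframe to external host"))
    return findings

# Constructed sample of what an infected HTML asset could look like.
SAMPLE = ('<html><body><h1>Resep Indonesia</h1>'
          '<iframe src="http://brenz.pl/" width="1" height="1"></iframe>'
          '<iframe src="http://example.com/ads" style="display: none"></iframe>'
          '<iframe src="http://example.com/map" width="300" height="200"></iframe>'
          '</body></html>')

if __name__ == "__main__":
    for host, reason in suspicious_iframes(SAMPLE):
        print(f"{host}: {reason}")
```

Run it over every .html file extracted from an APK's assets; a visible, normally sized frame to an external host is not flagged, so findings are worth manual review rather than automatic rejection.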

Palo Alto researchers confirmed that the infected apps will not cause damage to Android users. “However, this does represent a novel way for platforms to be a “carrier” for malware: not be infected themselves but spread the malware to other platforms without realizing it,” the security firm said. “Similar to the XcodeGhost attack we identified in 2015, this threat shows how attacking developers can impact end-users.”

The cybersecurity firm reported its findings to Google’s Security Team, which has now taken down all the infected apps from the Google Play Store.